Key Management Service concept

Available in Classic and VPC

This guide describes various basic concepts related to encryption and encryption keys for the smooth use of Key Management Service.

Data encryption

Data encryption refers to converting plaintext data, using a key, into ciphertext that can't be interpreted without that key. The user recovers the original plaintext by running the ciphertext through a decryption process with the appropriate key. Here, the most important factor is the "key": if the key is securely protected, it is practically impossible to expose the plaintext through unauthorized means. If the sending and receiving parties both know a key that was shared securely, encryption/decryption with that key can ensure the confidentiality of the data they exchange. There are many ways to share keys securely between sender and receiver, but the well-known SSL and TLS protocols are generally used.

Key lifecycle

Encryption keys follow a lifecycle: they are created, used to encrypt data, and eventually expire. Across this lifecycle a key is in one of the following states: Available, Disabled, Deletion requested, or Deleted. Key status is inherited by all versions of that key. For example, if the status of a key with 3 versions switches to Disabled, all 3 versions become Disabled. If the key is activated again and becomes Available, each version automatically reverts to the status it had previously.

[Figure: kms-1-1-3_en]

In Key Management Service, you can create and manage up to 100 versions per key. The following describes each status of the lifecycle.

  • Creation
    When key creation is requested, the key is created securely according to the key creation procedure in the key management recommendations, and a unique identifier is assigned to it. Once the identifier is assigned, the key is stored safely in encrypted storage, and a backup point is created in preparation for emergencies.

  • Available
    Keys in this status can be used for all encryption/decryption requests. Created keys are automatically activated and switched to Available, and they can be deactivated at any time to stop them from being used. Keys in the Available status are subject to administrative billing.

  • Disabled
    Keys in this status have been deactivated so that they can't be used, and they can be activated at any time to switch them back to the Available status. So that they can be made available at any time, keys in the Disabled status still follow the rotation cycle: even a Disabled key is rotated as scheduled on the next rotation day and updated to a new version. Keys in the Disabled status can't be used for encryption/decryption requests. Keys in the Disabled status are subject to administrative billing.

  • Deletion requested
    Keys in this status have been requested for deletion by the user because they are no longer used, to reduce misuse and unnecessary maintenance. Keys in the Deletion requested status are permanently deleted 72 hours after the user's deletion request, and keys deleted at the user's request can't be restored, so request deletion only after carefully checking that no user is still using the key. The deletion request can be canceled before the final deletion, and a key whose deletion request has been canceled is immediately switched to the Disabled status. As with the Disabled status, keys in the Deletion requested status follow the rotation cycle and are subject to administrative billing. If no user is currently using the key, you can click the [Delete immediately] button to proceed with permanent deletion right away.

  • Deleted
    Keys in this status have been permanently deleted and can't be viewed directly by the user; they are also deleted within Key Management Service. You can only request management information, such as key information and usage history, through NAVER Cloud Platform's Support > Contact us. The management information of deleted keys is kept for one year and then deleted.
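The lifecycle above is easiest to check as a small state machine. The following Go program is an added example written for this page, not the service's own code: it models one key with its versions and enforces the rules listed above (new keys are Available with one version, a key holds at most 100 versions, Disabled and Deletion requested keys still rotate but serve no requests, a canceled deletion lands in Disabled, and deletion becomes final after 72 hours or immediately on request). The type and method names (ManagedKey, Rotate, Finalize, and so on) are hypothetical, and the assumption that each version stores its own status, which the key status overrides while the key is not Available, is how the example models "versions revert to their previous status".

```go
package main

import (
	"fmt"
	"time"
)

// KeyStatus is a lifecycle state; versions inherit it from their key.
type KeyStatus int

const (
	Available KeyStatus = iota
	Disabled
	DeletionRequested
	Deleted
)

func (s KeyStatus) String() string {
	return [...]string{"Available", "Disabled", "Deletion requested", "Deleted"}[s]
}

const (
	maxVersions   = 100            // versions that can be managed per key
	deletionGrace = 72 * time.Hour // wait before a requested deletion is final
)

// ManagedKey is a hypothetical in-memory model of one key and its versions,
// written for this example; it is not the service's own data structure.
type ManagedKey struct {
	ID       string
	Status   KeyStatus
	versions []KeyStatus // each version's own status, overridden by Status
	deleteAt time.Time   // meaningful only while Status == DeletionRequested
}

// NewManagedKey creates a key with one version; created keys are Available.
func NewManagedKey(id string) *ManagedKey {
	return &ManagedKey{ID: id, Status: Available, versions: []KeyStatus{Available}}
}

// VersionStatus applies inheritance: while the key is not Available every
// version reports the key status; once re-enabled, each version reverts to
// the status it had before (assumed here to be stored per version).
func (k *ManagedKey) VersionStatus(i int) KeyStatus {
	if k.Status != Available {
		return k.Status
	}
	return k.versions[i]
}

// Versions returns how many versions the key has accumulated.
func (k *ManagedKey) Versions() int { return len(k.versions) }

// CanUse reports whether encryption/decryption requests are served.
func (k *ManagedKey) CanUse() bool { return k.Status == Available }

// transition moves to "to" only from one of the allowed "from" states.
func (k *ManagedKey) transition(from []KeyStatus, to KeyStatus) error {
	for _, s := range from {
		if k.Status == s {
			k.Status = to
			return nil
		}
	}
	return fmt.Errorf("key %s: cannot go from %s to %s", k.ID, k.Status, to)
}

// Disable stops an Available key from being used; it can be re-enabled later.
func (k *ManagedKey) Disable() error { return k.transition([]KeyStatus{Available}, Disabled) }

// Enable returns a Disabled key to Available.
func (k *ManagedKey) Enable() error { return k.transition([]KeyStatus{Disabled}, Available) }

// RequestDeletion starts the 72-hour countdown to permanent deletion.
func (k *ManagedKey) RequestDeletion(now time.Time) error {
	if err := k.transition([]KeyStatus{Available, Disabled}, DeletionRequested); err != nil {
		return err
	}
	k.deleteAt = now.Add(deletionGrace)
	return nil
}

// CancelDeletion moves the key to Disabled, not back to Available.
func (k *ManagedKey) CancelDeletion() error {
	return k.transition([]KeyStatus{DeletionRequested}, Disabled)
}

// Rotate adds a version; Disabled and Deletion requested keys keep rotating
// so they are current the moment they are enabled again.
func (k *ManagedKey) Rotate() error {
	if k.Status == Deleted {
		return fmt.Errorf("key %s: deleted keys do not rotate", k.ID)
	}
	if len(k.versions) >= maxVersions {
		return fmt.Errorf("key %s: already has %d versions", k.ID, maxVersions)
	}
	k.versions = append(k.versions, Available)
	return nil
}

// Finalize makes the deletion permanent once the grace period has passed, or
// at once when immediate is set (the [Delete immediately] action).
func (k *ManagedKey) Finalize(now time.Time, immediate bool) bool {
	if k.Status != DeletionRequested || (!immediate && now.Before(k.deleteAt)) {
		return false
	}
	k.Status = Deleted
	return true
}
```

Because Finalize takes the current time as a parameter, the 72-hour rule can be exercised deterministically: request deletion at a fixed instant, confirm that Finalize refuses at 71 hours and succeeds at 72, and confirm that a canceled request leaves the key Disabled rather than Available.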

Envelope encryption

There are many ways to encrypt data using keys. Among them, the envelope encryption method is recommended as it satisfies both data confidentiality and control through hierarchical key management. This section introduces the concept of envelope encryption, and describes the key hierarchy and policy to be understood when using envelope encryption through Key Management Service.

Hierarchical management of keys

Encryption is generally used to protect data, but applying encryption alone doesn't guarantee that the data is protected. How well data is protected depends on how the encryption keys are managed, rather than on the simple fact that encryption is applied, so it is best to manage keys with a secure key management solution. An important factor to consider here is the guarantee of data control. The guarantee of data control means not only being able to access data when necessary, but also complying with access control principles that fundamentally block unauthorized access. If keys are entrusted to and stored by an external party, the number of external points where data decryption may be performed increases, and with it the threat to data control. One of the best-known and most secure key management methods is managing keys hierarchically: the key used directly for data encryption is itself protected by encrypting it with another key. The key that encrypts the key is commonly referred to as the master key. If the master key is managed using a key management solution inside or outside the organization, the threat to data control can be reduced. This encryption method that manages keys hierarchically is called envelope encryption. It satisfies both data confidentiality and data control by protecting the key used to encrypt the data, rather than protecting the data only by encrypting it directly.

[Figure: kms-1-1-1_en]

In envelope encryption, the key that encrypts/decrypts the actual data is the data key. If you use the envelope encryption method through Key Management Service, the data key can be sealed and managed there. However, at the time of encrypting/decrypting the actual data, the unsealed data key is used. After receiving the unsealed key through Key Management Service, the user is responsible for managing that key. After performing data encryption/decryption with the received key, it is recommended to delete the unsealed key immediately and keep data keys only in the sealed form.

Note

For a description of NAVER Cloud Platform and the user's shared responsibility model for cloud, refer to Security center in the NAVER Cloud Platform portal.

Key management policy

Since Key Management Service manages keys in a hierarchical structure, it is necessary to understand the concept and role of major keys by hierarchy.

[Figure: kms-1-1-2_en]

Data encryption key

These are the keys used directly for data encryption/decryption, and they must be stored securely in the user managed area. If data encryption keys are protected through Key Management Service, the administrative burden can be reduced. To protect data encryption keys using Key Management Service, the user can either create keys directly and "seal" them with a user managed key, or use Create User Custom Key, the custom key creation API of Key Management Service. Using the API is beneficial because you obtain a securely generated random key and its encrypted form under a user managed key at once.

User managed key

These are keys the user has created in Key Management Service; their creation, rotation, and deletion are all managed by the user. Key Management Service admins, who manage all keys in the keystore, and users with key manager permissions, which allow them to manage their assigned keys, can conveniently manage keys in the NAVER Cloud Platform console. When a user managed key is used to protect data encryption keys, it is referred to as a key encryption key or master key.
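The envelope encryption flow described in "Hierarchical management of keys" and the data encryption key / user managed key split above, as an added Go example that is not the service's own code or API: a MasterKey value stands in for a user managed key that stays inside the service, GenerateDataKey stands in for a call like Create User Custom Key that hands back a random data key together with its sealed form, the caller encrypts with the plaintext data key, zeroes it, and stores only the ciphertext plus the sealed data key. AES-256-GCM for both layers, the "data-key" associated-data label, and all type and function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// MasterKey stands in for a user managed key kept inside the service (a
// hypothetical model, not the real API); its bytes never leave the service.
type MasterKey struct{ key []byte }

// NewMasterKey draws a random AES-256 key for the model service.
func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &MasterKey{key: k}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-GCM and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the GCM tag check rejects tampered or mis-keyed input.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// GenerateDataKey models a call that returns a fresh random data key and its
// sealed form at once: use the plaintext copy immediately, keep only the sealed one.
func (m *MasterKey) GenerateDataKey() (plain, sealedKey []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	sealedKey, err = seal(m.key, plain, []byte("data-key"))
	return plain, sealedKey, err
}

// Envelope is all the user stores: the ciphertext and the sealed data key.
type Envelope struct{ SealedDataKey, Ciphertext []byte }

// zero overwrites a plaintext key buffer as soon as it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptEnvelope gets a data key, encrypts, and keeps only the sealed key.
func EncryptEnvelope(m *MasterKey, data []byte) (*Envelope, error) {
	plainKey, sealedKey, err := m.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(plainKey) // the plaintext data key lives only for this call
	ct, err := seal(plainKey, data, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{SealedDataKey: sealedKey, Ciphertext: ct}, nil
}

// DecryptEnvelope asks the service (the master key) to unseal the data key,
// decrypts with it, and discards the plaintext key again.
func DecryptEnvelope(m *MasterKey, env *Envelope) ([]byte, error) {
	plainKey, err := open(m.key, env.SealedDataKey, []byte("data-key"))
	if err != nil {
		return nil, err
	}
	defer zero(plainKey)
	return open(plainKey, env.Ciphertext, nil)
}
```

Two properties of the hierarchy are worth checking against this model: an envelope can only be opened by the master key that sealed its data key, so rotating or revoking access to the user managed key controls access to every record beneath it, and any modification of the stored ciphertext or sealed data key fails the GCM tag check rather than yielding garbage plaintext.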

Root key

User managed keys are encrypted with a key called the system operation key or root key and stored in the internal storage of Key Management Service. The root key is created through a secure key creation procedure and is afterward managed under the same management policy as user managed keys: for example, the root key is also rotated and renewed every year, and access permissions to it are managed strictly. Its only difference from user managed keys is that the key activation process is done offline.

To prepare for the case where the root key is lost, or where the root key manager acts maliciously, the root key is split into multiple pieces that are stored separately on physical security media. The three admins who manage these key pieces seal the physical security media and store them in a locally isolated, fire-resistant data vault installed at the IDC where the system is operated. Once the key is sealed, accessing it requires strict procedures, including approval from multiple persons in charge and accompaniment by a third party with a recording device.
